How to Configure PassTickets
PassTicketis a temporary substitute for the user’s password. Passtickets are encoded and encrypted. You use a PassTicket to access a specific application only, and you must use it within a few minutes of the time it is generated. Using PassTickets enables the z/OS components and products to authenticate a user ID without sending z/OS passwords through the network.
Follow this process to configure PassTickets:
- Configure the slapd.conf file and the ESM to permit PassTicket generation. By default, the CA LDAP application ID value is CALDAP. To override this value in the server, modify the slapd.conf ptktappl option.
- Configure PassTickets for the z/OS security product on each z/OS system hosting a CA LDAP server.
PassTicket Configuration to Connect to DB2
The CA LDAP Server Compliance Manager backend connects to DB2 to query report information. You can configure the CA LDAP Server to use a PassTicket to connect to DB2. For CA Compliance Manager to generate a PassTicket to DB2, the CA Compliance Manager must have the slapd.conf dbptktappl option specified with the DB2 LINKNAME. The CA Compliance Manager also requires the ESM configuration steps listed in the following sections. The DB2 LINKNAME is the second part of the DB2 LUNAME and is used as the 'applid' in the PassTicket Configuration Examples below.
In the examples below the LUNAME is "EXAMPLE.DDFDSN7" and the LINKNAME is "DDFDSN7".
There are several ways to obtain the LINKNAME. The best method for obtaining the LINKNAME is to ask your Database Administrator. The DB2 LUNAMEs are also listed in the console output corresponding to the DSNL004I message:
Example: DB2 Message in Console Log Output
DSNL004I ! DDF START COMPLETE 680 0090 LOCATION DSN7 0090 LU USILDA02.DDFDSN7 0090 GENERICLU -NONE 0090 DOMAIN example.ca.com 0090 TCPPORT 446 0090 SECPORT 0 0090 RESPORT 5001 0090 IPNAME -NONE
You can also identify the LUNAME by executing the DB2 -DISPLAY DDF command.
When issuing a DB2 command from the z/OS console, the hyphen (-) must be replaced with the specific command prefix for the DB2 region.
Example: DB2 Sample Command Output from -DISPLAY DDF
DSNL080I ! DSNLTDDF DISPLAY DDF REPORT FOLLOWS: DSNL081I STATUS=STARTD DSNL082I LOCATION LUNAME GENERICLU DSNL083I DSN7 EXAMPLE.DDFDSN7 -NONE DSNL084I TCPPORT=446 SECPORT=0 RESPORT=5001 IPNAME=-NONE DSNL085I IPADDR=::127.0.0.101 DSNL086I SQL DOMAIN=example.ca.com DSNL086I RESYNC DOMAIN=example.ca.com DSNL099I DSNLTDDF DISPLAY DDF REPORT COMPLETE
Use CA ACF2 to Configure PassTickets (Example)
This example shows how to use CA ACF2 to configure PassTickets. The security administrator should perform this procedure.
Follow these steps:
- Define the application session key by entering the following commands, if it has not already been set up:SET PROFILE(PTKTDATA) DIVISION(SSIGNON) INSERT applid SSKEY(FEDCBA9876543210) MULT-USEThis example demonstrates a complete key SSKEY value of 16 hexadecimal digits (creating an 8-byte or 64-bit key). Use the same application key on all systems in the configuration and keep the values "secret."
- Complete the PassTicket setup by entering the following commands:F ACF2,REBUILD(PTK),CLASS(P)The PassTicket record is now active in the system.
- Enable the started task user ID to generate PassTickets for the application by entering commands similar to the following:SET RESOURCE(PTK) RECKEY IRRPTAUTH ADD(applid.userid UID(uid-of-userid) SERVICE(UPDATE,READ) ALLOW)For detailed information about using CA ACF2 commands, see the CA ACF2 documentation.
Use CA Top Secret to Configure PassTickets (Example)
This example shows how to use CA Top Secret to configure PassTickets. The security administrator should perform this procedure.
Before you begin this procedure, verify that the PTKTDATA class and ownership for the PassTicket resource (IRRPTAUT) have not already been defined.
Follow these steps:
- Update the resource descriptor table (RDT) to define the PTKTDATA class by entering the following commands:PTKTDATA is not a predefined class.TSS ADDTO(RDT) RESCLASS(PTKTDATA) RESCODE(n) ACLST(ALL,READ,UPDATE) MAXLEN(37)The PTKTDATA resource is added to the RDT.Include RESCODE(n) in the range of 101 to 13F to make PTKTDATA a prefixed resource class.
- Assign ownership for the PassTicket resource (IRRPTAUT) by entering the following commands:TSS ADDTO(department) PTKTDATA(IRRPTAUT)IRRPTAUT is owned.
- Define the application session key by entering the following commands:TSS ADDTO(NDT) PSTKAPPL(applid) SESSKEY(0123456789ABCDEF) SIGNMULTIThis example demonstrates a complete key SESSKEY value of 16 hexadecimal digits (creating an 8-byte or 64-bit key). Use the same application key on all systems in the configuration and keep the values "secret."
- Permit access to the PassTicket resource defined in the previous step for the CA LDAP server by executing the following command:TSS PERMIT(stc-userid) PTKTDATA(IRRPTAUTH.applid) ACCESS(UPDATE)The parameter stc-userid refers to the ACID that you created when you created CA LDAP started task User IDs. The parameter is "CALDAP" by default.
For detailed information about using CA Top Secret commands, see the CA Top Secret documentation.
Use IBM RACF to Configure PassTickets (Example)
The following example shows how to use IBM RACF to configure PassTickets. An experienced security administrator must perform this procedure.
If the PTKTDATA class is defined, verify that it is defined as a generic class before creating the profiles. For more information about creating PassTickets using RACF, see the IBM RACF product documentation.
Follow these steps:
- Activate the PassTicket class by entering the following commands:SETROPTS CLASSACT(PTKTDATA) SETROPTS RACLIST(PTKTDATA)
- Define profiles for the applications in the PTKTDATA class for the application and specify the session key:RDEFINE PTKTDATA applid UACC(NONE) APPLDATA('NO REPLAY PROTECTION') - SSIGNON(KEYMASKED(0123456789ABCDEF)After you create the PTKTDATA class, you can change it with the RALTER command which is similar in syntax to RDEFINE.
- Allow the application ID (applid) to use PassTickets:PERMIT IRRPTAUTH.applid.* CLASS(PTKTDATA) ACCESS(UPDATE) ID(userid)
- useridSpecifies the value of the CA LDAP Server started task.
- Refresh the RACF PTKTDATA definition with the new profile:SETROPTS RACLIST(PTKTDATA) REFRESHFor detailed information about using RACF commands, see the IBM RACF documentation.